On Fri, May 12, 2017 at 6:02 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> This SubThread (going back to Kurt Roeckx's post at 08:06 UTC) is about
> suggesting a good format for sharing this info across libraries though.
> Discussing that on a list
On 12/05/2017 23:45, Ryan Sleevi wrote:
On Fri, May 12, 2017 at 2:15 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
On 12/05/2017 20:43, Ryan Sleevi wrote:
On Fri, May 12, 2017 at 1:50 PM, Jakob Bohm via dev-security-policy <
On Fri, May 12, 2017 at 2:15 PM Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 12/05/2017 20:43, Ryan Sleevi wrote:
> > On Fri, May 12, 2017 at 1:50 PM, Jakob Bohm via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> >> Could
On 12/05/2017 20:43, Ryan Sleevi wrote:
On Fri, May 12, 2017 at 1:50 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Could something be derived from / based on the ASN.1 format apparently
used by Microsoft in it's root store, with OpenSSL/Mozilla OIDs
On Fri, May 12, 2017 at 07:50:46PM +0200, Jakob Bohm via dev-security-policy
wrote:
> On 12/05/2017 10:06, Kurt Roeckx wrote:
> > From past discussion on the OpenSSL list, I understand that we want to
> > support a trust store that supports all such kind of attributes. Some
> > things like for
On Fri, May 12, 2017 at 1:50 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Could something be derived from / based on the ASN.1 format apparently
> used by Microsoft in it's root store, with OpenSSL/Mozilla OIDs added
> for things that have no Microsoft
On 12/05/2017 15:21, Gervase Markham wrote:
Mozilla policy requires that certificates issued in contravention of a
CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
directly require that a CA operate in accordance with its CP and CPS. We
require this indirectly because the
On 12/05/2017 10:06, Kurt Roeckx wrote:
On 2017-05-11 17:57, Alex Gaynor wrote:
Ryan,
I think you've correctly highlighted that there's a problem -- the
Mozilla
CA store is "designed" to be consumed from NSS, and CA-specific
remediations are a part of that (hash algorithms, maximum certificate
On 2017-05-11 19:05, Gervase Markham wrote:
On 11/05/17 12:46, Rob Stradling wrote:
There's a "Created by" field (Username, Timestamp) and a "Last Modified
By" field (Username, Timestamp) in the CCADB, but neither of these
fields are currently provided in the public CSV reports that Mozilla
On 2017-05-12 17:31, Kurt Roeckx wrote:
On 2017-05-12 15:00, Gervase Markham wrote:
Because the Mozilla root store is used by more people than Mozilla,
Kathleen would like to put anyEKU in scope even though Firefox ignores
it.
I think the CCADB document needs to be updated too.
It might
On 2017-05-12 15:00, Gervase Markham wrote:
Because the Mozilla root store is used by more people than Mozilla,
Kathleen would like to put anyEKU in scope even though Firefox ignores it.
I think the CCADB document needs to be updated too.
Kurt
Mozilla policy requires that certificates issued in contravention of a
CA's CP/CPS should be revoked. Other than that, Mozilla policy does not
directly require that a CA operate in accordance with its CP and CPS. We
require this indirectly because the audits that we require, require it.
This
Mozilla's Enforcement Policy indicates what to do when a serious
security concern is noticed, but does not indicate what to do when a
lesser security concern is noticed.
The current text is now in section 7, and says:
"Changes that are motivated by a serious security concern such as a
major root
On Thursday, 11 May 2017 19:08:06 UTC+2, Gervase Markham wrote:
> On 11/05/17 13:02, wiz...@ida.net wrote:
> > That said, it is fair point that the plan should spell out what happens if
> > symantec does not cooperate.
>
> I think we should cross that bridge when we come to it, which I hope we
14 matches
Mail list logo
